
XG to XG RED VPN With Multiple WAN interfaces

Hi folks,

Does anyone have an idea whether it is possible to create a RED VPN between XG devices using multiple WAN interfaces at the branch and head office?

e.g.

H.O WAN 1  ---------------RED TUN 1----------------------------   B.O WAN 1

H.O WAN 1  ---------------RED TUN 2----------------------------   B.O WAN 2

H.O WAN 2  ---------------RED TUN 3----------------------------   B.O WAN 1

H.O WAN 2  ---------------RED TUN 4----------------------------   B.O WAN 2

Best regards

Carlos



  • I guess you cannot build 4 tunnels, but 2.

    The point is, XG is using a random outbound IP if not specified via CLI.

    https://community.sophos.com/kb/en-us/122999

    But this command relies on the destination.

    So basically you cannot use it 4 times to bind it properly.

  • Hi LuCar Toni,

    Thanks for your response.

    Well, I already suspected this, but I would like to confirm :)

    It would be interesting to have an option to bind it.

    Best regards

    Carlos

  • Let's wrap this topic up.

    I guess there is no real "reason" to build up 4 tunnels.

    This is the standard scenario.

    On AB you would say, Port1 is reachable with Interface A, PortB is reachable with Interface B.

    In case a port is not reachable:

    Question is, what is happening with your DNS? Because the tunnel A-1 is not there anymore, you could force XG to build up the tunnel between A-2 with a DNS record.

    But: would there be a real use case for this? Because you will have a drop in the "performance" anyway.

  • Hi LuCar,

    The reason to use 4 tunnels is that I will use OSPF to route across these tunnels; I like the IPsec Bind option in Cyberoam OS.

    With this I have total control over the path/routing/failover.

    Currently I have several Cyberoam OS devices using this model with IPsec, and I'm looking for a solution to convert it to Sophos XG.

    This is the reason :)

    Best regards

    Carlos

  • Hi Carlos,

    You can set up 4 independent RED tunnels. But if you need to apply Link Load Balancing (not failover), it will be possible with the SFOS v18 release. So I think we need to wait for Sophos' SD-WAN feature, which will be enabled in version 18.

    Cenk

  • Hi, thank you for your feedback.

    Well, and how can I do the following, as LuCar told?

    Head office Port WAN 1 ------------ Branch office Port WAN 1

    Head office Port WAN 2 ------------ Branch office Port WAN 2

    I tried setting up firewall rules on the head office allowing the specific traffic coming from branch office port WAN 1 to head office port WAN 1 on ports 3400 TCP and 3410 UDP, but it seems there is a global rule that allows it.

    I cannot control this traffic.

    Any tip!?

    Regards

    Carlos

  • You have to build up two tunnels.

    Tunnel 1: XG A is Server, XG B Client.

    Tunnel 2: XG A is Client, XG B is Server.

    https://community.sophos.com/kb/en-us/125101

    The client will always connect. So basically XG waits on all interfaces for a port 3400 connection.

    You have to control the client site, which interface should be used "outbound".

    The KBA has a small note:

    • If the RED server firewall has more than one WAN interface, a sys-traffic-nat rule is necessary to force a correct NAT for the RED server firewall. This can be done in the XG Firewall's console.

    https://community.sophos.com/kb/en-us/122999

    This will more or less build up a redundancy in most scenarios.

  • Hi LuCar,

    Thanks again for your great suggestion.

    But sys-traffic-nat, or even a static route, does not work as expected with RED connections.

    Even using sys-traffic-nat or a static route on the client side, the RED connects by the other WAN interface (outbound interface). The RED connections do not respect this.

    Best regards

    Carlos

  • I recently deployed this setup.

    Can you post your sys-nat rule? What did you insert into this rule?

  • Hi LuCar,

    Sure....

    On Client Side

    sys-nat rule

    Network interfaces

    On Server Side

    As you can see, the remote IP address online is the IP address from interface port B.

    Regards

    Carlos

  • Hi folks.

    Any tip!?  :)

    Regards

    Carlos

  • I assume 45. is your other XG?

    Your other XG has one or two interfaces?

    Did you already verify via tcpdump that this rule is not hitting / working?

  • LuCar

    The 45. is my client side that I would like the RED tunnel to use as outbound :)

    Both XGs have two WAN interfaces.

    Yes, with tcpdump on the server side I can see traffic from my client side using both WAN addresses; it seems the RED tunnel ignores the SNAT rule and chooses the output interface at random.

    Regards

    Carlos
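The tcpdump check discussed in the last two posts, written out as an added example (not part of the thread and not Sophos code): it parses tcpdump text lines captured on the RED server's WAN side, counts which client source addresses hit the RED ports (TCP 3400 and UDP 3410, as named in the thread), and reports any source other than the WAN IP you intended the client to egress from. The capture lines and all addresses (203.0.113.10 for the server, 198.51.100.45 and 192.0.2.77 for the client's two WANs) are constructed; the function and variable names are this example's own.

```python
import re
from collections import Counter

# Ports the RED protocol uses between client and server, as named in the thread:
# TCP 3400 (control) and UDP 3410 (data).
RED_PORTS = {3400, 3410}

# Constructed tcpdump output as it might be captured on the RED *server* firewall.
# 203.0.113.10 plays the head office WAN; 198.51.100.45 and 192.0.2.77 are the
# branch office's two WAN addresses. All addresses are documentation ranges.
SAMPLE_CAPTURE = """\
10:01:02.100001 IP 198.51.100.45.51234 > 203.0.113.10.3400: Flags [S], seq 1, win 64240, length 0
10:01:02.100501 IP 203.0.113.10.3400 > 198.51.100.45.51234: Flags [S.], seq 2, ack 2, win 65160, length 0
10:01:03.200001 IP 198.51.100.45.3410 > 203.0.113.10.3410: UDP, length 120
10:01:07.300001 IP 192.0.2.77.3410 > 203.0.113.10.3410: UDP, length 120
10:01:09.400001 IP 192.0.2.77.40001 > 203.0.113.10.3400: Flags [S], seq 5, win 64240, length 0
10:01:11.000001 IP 198.51.100.45.51240 > 203.0.113.10.443: Flags [S], seq 9, win 64240, length 0
"""

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
# tcpdump's default text form: "<ts> IP <src>.<sport> > <dst>.<dport>: <rest>"
LINE_RE = re.compile(
    rf"^(?P<ts>\S+) IP (?P<src>{IPV4})\.(?P<sport>\d+) > (?P<dst>{IPV4})\.(?P<dport>\d+): (?P<rest>.*)$"
)


def parse_line(line):
    """Parse one tcpdump text line into a dict; return None for lines that are not IPv4 traffic."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    proto = "udp" if rest.startswith("UDP") else "tcp"
    return {
        "ts": m.group("ts"),
        "src": m.group("src"),
        "sport": int(m.group("sport")),
        "dst": m.group("dst"),
        "dport": int(m.group("dport")),
        "proto": proto,
    }


def red_sources(capture, server_ip):
    """Count packets per source IP that arrive at server_ip on a RED port (client -> server direction only).
    Replies from the server and unrelated ports (e.g. 443) are ignored."""
    counts = Counter()
    for line in capture.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        if pkt["dst"] == server_ip and pkt["dport"] in RED_PORTS:
            counts[pkt["src"]] += 1
    return dict(counts)


def unexpected_sources(capture, server_ip, expected_src):
    """Return the source IPs, other than expected_src, that sent RED traffic to server_ip.
    An empty list means the client egressed only through the interface you intended;
    a non-empty list is the 'random outbound interface' behaviour described in the thread."""
    return sorted(ip for ip in red_sources(capture, server_ip) if ip != expected_src)


if __name__ == "__main__":
    server = "203.0.113.10"
    print("RED packets per client source IP:", red_sources(SAMPLE_CAPTURE, server))
    print("Sources other than the intended WAN IP:",
          unexpected_sources(SAMPLE_CAPTURE, server, "198.51.100.45"))
```

To use it on a real capture, run something like `tcpdump -n -i <server WAN interface> port 3400 or port 3410` on the server side, save the text output, and feed it to `unexpected_sources()` with the server WAN IP and the client WAN IP you expect; both addresses showing up, as Carlos saw, confirms the client is not honouring the SNAT rule.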

  • You need to set up this sys-nat rule from the client side, because the client will actually start the connection.

    From the client, you are forcing XG to build up the connection anyway with the GUI option.

  • LuCar,

    After several tests and contact with Sophos Support - Ticket #8799470

    I was informed that it is not possible to control the client outbound interface.

    >> Hi Carlos, as we discussed, in the scenario of a site-to-site RED tunnel it would not be possible to control outbound traffic on the client side of the RED tunnel.

    This is really so bad for this scenario. :(

    Regards

    Carlos